Open mjmccarn opened 1 year ago
Hi @mjmccarn - Interesting idea, but:
More admins would follow this practice if the scan URL from admin/overview went directly to the specific results for each server.
Do you really think admins that aren't inclined to type their own URL in at https://scan.nextcloud.com after clicking the existing link are going to jump through an extra setup step to add the special UUID? I have my doubts. :-)
I do think being able to direct link to an auto-filled in target URL field and/or call the underlying scan.nextcloud.com API would be a convenient addition. Unfortunately `overwritehost` isn't always in-use (configured), and there could be multiple `trusted_domains` so we'd probably guess the "right" external URL about as much as we'd guess it wrong.
Do you really think admins that aren't inclined to type their own URL in at https://scan.nextcloud.com after clicking the existing link are going to jump through an extra setup step to add the special UUID? I have my doubts. :-)
Actually yes, I do.
The difference is between taking an extra step once, when time permits, vs taking an extra step over and over and over - sometimes when time pressure is high.
My Nextcloud upgrade procedure requires me to update (and record) the scan results with every point-level upgrade. Since the scan became available I have only missed re-scanning when time pressure got in the way.
Fair enough. Can you send along your proof of concept as a PR so it can be considered for merge? Doesn't have to be perfect - it'll get reviewed and we won't be shy about making suggestions. :-)
Is your feature request related to a problem? Please describe.
Describe the solution you'd like
"our security scan" on the admin overview page should link directly to the server's results
This can be done by:
`occ support:report` to consider 'scanresult' a sensitive value (not covered here)
Proof of Concept
config/config.php (for this proof-of-concept I included "/results/" in the config.php setting for 'scanresult', but this feels a bit kludgy...)
apps/settings/templates/settings/admin/overview.php
<?php print_unescaped($l->t('Check the security of your Nextcloud over our security scan ↗.', ['https://scan.nextcloud.com']));?>
<?php print_unescaped($l->t('Check the security of your Nextcloud over our security scan ↗.', ['https://scan.nextcloud.com'. \OC::$server->getSystemConfig()->getValue('scanresult')]));?>
Optimally
Suggested alternative language:
If "scanresult" is `af3a7d24-4033-4dca-8b05-52bd28c39382` then the message would change to Check and update your [Nextcloud security scan results ↗] (https://scan.nextcloud.com/results/[value-of-scanresult-from-config.php])
OTHERWISE use the current language: Check the security of your Nextcloud over [our security scan ↗] (https://scan.nextcloud.com/).
Describe alternatives you've considered
This could also be addressed by making changes to both the web server at scan.nextcloud.com and the admin/overview hyperlink to securely pass a servername value (perhaps `overwritehost`) to the scan server search box
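
The "if scanresult is set, otherwise use the current language" rule from the issue, as an added example that is not part of the original issue or Nextcloud's own code. It assumes 'scanresult' holds only the UUID (no "/results/" prefix); `scanLinkFor` is a hypothetical helper name. Because the template prints the string with `print_unescaped`, the value is checked against the UUID shape before it is placed in the URL.

```php
<?php
declare(strict_types=1);

// Added example, not Nextcloud code. Assumption: 'scanresult' holds only the
// scan UUID (no "/results/" prefix), in the form shown in the issue.
const SCAN_BASE = 'https://scan.nextcloud.com';

/**
 * Hypothetical helper: returns [url, message] for the admin overview link.
 * Anything that is not a well-formed UUID falls back to the generic scan page,
 * so a malformed or tampered config value never reaches the href attribute.
 */
function scanLinkFor($configured): array
{
    $generic = [SCAN_BASE . '/', 'Check the security of your Nextcloud over our security scan ↗.'];
    if (!is_string($configured)) {
        return $generic;
    }
    $value = strtolower(trim($configured));
    // \A and \z (not ^ and $) so a trailing newline cannot slip past the anchors.
    $uuid = '/\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/';
    if (preg_match($uuid, $value) !== 1) {
        return $generic;
    }
    return [SCAN_BASE . '/results/' . $value, 'Check and update your Nextcloud security scan results ↗.'];
}

// Constructed sample values standing in for getSystemConfig()->getValue('scanresult').
$samples = [
    'af3a7d24-4033-4dca-8b05-52bd28c39382',          // UUID from the issue text
    '',                                              // setting absent
    '/results/af3a7d24-4033-4dca-8b05-52bd28c39382', // prefix left in the config value
    'abc" class="x',                                 // markup characters in the config value
    null,                                            // getValue() default
];

foreach ($samples as $sample) {
    [$url, $text] = scanLinkFor($sample);
    // htmlspecialchars() because the template would print this string unescaped.
    printf("%s\n  -> %s | %s\n", var_export($sample, true),
        htmlspecialchars($url, ENT_QUOTES, 'UTF-8'), $text);
}
```

Only the first sample produces the `/results/` link; the other four fall back to the generic scan page and the current wording.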